Another Data Integrity Warning Letter for an Indian Facility, This One with Explicit FDA Requests for Corrective Actions

In a bluntly-worded warning letter to contract manufacturer Sri Krishna Pharmaceuticals Ltd. issued April 1, 2016, we see another example of increasing FDA concern over data integrity issues at non-US drug manufacturing facilities, particularly those in India. This rather remarkable letter contains observations of GMP deficiencies in four general areas: (1) failure to include complete data in laboratory records; (2) failure to exercise appropriate controls over computer systems; (3) failure to establish adequate written procedures for production and process controls; and (4) failure in certain instances to follow established written procedures that existed. While the heading of each multi-part observation is somewhat bland, the body of each is quite detailed about data integrity issues and contains both specific descriptions of deceptive practices and FDA assertions that Sri Krishna has admitted to these deceptive practices.” We have previously discussed (see our post here), FDA warning letters on data integrity (18 out of 23 of CDER’s 2015 warning letters). Specifically, letters addressed to facilities in India and China (15 out of those 18) are running at record levels. This warning letter to Sri Krishna fits neatly into this clear pattern.

Moreover, the letter demands that Sri Krishna undertake three follow-up actions: (1) a “comprehensive investigation into the extent of the inaccuracies in data records and reporting,” including “interviews of current and former employees … by a qualified third party;” (2) a “current risk assessment of the potential effects of the observed failures on the quality of your drugs,” including the risk to patients; and (3) a “management strategy for your firm that includes the details of your global corrective action and preventive action plan,” and that includes “[i]nterim measures describing the actions you have taken or will take to protect patients and to ensure the quality of your drugs, such as notifying your customers, recalling product, conducting additional testing, … drug application actions, and enhanced complaint monitoring.”

The essence of the agency’s incomplete data observation is that Sri Krishna regularly deleted non-conforming test results and repeated tests in order to generate conforming results. The warning letter gives details on at least five different situations in which this occurred, including one in which 28 original data files were deleted and another in which a clock was changed prior to samples being reanalyzed. In some instances, “trial” tests were performed and the data from them stored on separate computer drives from those drives on which the data that were reported to FDA was stored.

Sri Krishna’s admissions of these violations are documented in numerous places in the warning letter: “Your management acknowledged that employees in your QC laboratories conduct trial HPLC injections prior to the injections submitted as the reported test results; “Your response acknowledges that an analyst deleted eight injections, including the blank, six standards, and a sample;” and “Your analyst deleted data from the first set of injections and submitted only the second set in the validation documentation. The analyst stated that he planned to back-date the preparation data within the worksheets.”

FDA even makes an allegation of a kind that this blogger has never seen before – that Sri Krishna falsified data specifically for inclusion in its response to FDA’s 483: “your response includes a chromatogram for trial injection … that differs from the chromatogram our investigator collected. It appears to have been reintegrated; the y-axis scale was changed, and only two of the original … peaks can be seen.”

Regarding Sri Krishna’s computer systems, the agency states that Sri Krishna quality control analysts used administrator privileges to make changes in manufacturing records, alter date and time settings, overwrite files and delete original data. While acknowledging that Sri Krishna committed after the inspection to set up user restrictions, discontinue certain practices, and institute audit trails for computerized systems, FDA expressed apparent deep unhappiness with the company’s response. Sri Krishna’s actions are “insufficient to correct the broad data manipulation and deletion problems observed at your facility and to prevent their recurrence.” FDA thus asked that Sri Krishna’s response clarify specific user roles for each laboratory system and “provide an assessment of the effectiveness of these newly implemented system controls.”

FDA’s citation of a failure to establish adequate written procedures concerns another apparent deception about a process performance qualification protocol for alternate manufacturing equipment for a specific product. The company is alleged to have said that it initiated a prospective qualification of this equipment, but FDA states that the protocol, while written, was not approved or implemented and the samples required were never collected. FDA rejects the company’s offer to perform a retrospective validation to fix this deficiency.

The allegation of a failure to follow correctly established written procedures is linked to an accusation of destruction of original batch records and substitution thereto of backdated replacement pages. Tantalizingly, the letter states that FDA found original pages from five batch records “discarded outside your facility,” but then sorely disappoints by failing to give any details about the dumpster diving that we imagined resulted in this discovery.

The agency’s detailed description of the corrective actions that it expects of Sri Krishna is unusual but seems to be part of a trend in warning letters. First, FDA requests a “comprehensive investigation” of the data integrity issues that covers all of the company’s laboratory and manufacturing operations, not just those found at fault by FDA, or a justification for exclusion of any part of these operations. The company is asked to assess and evaluate the effect of, via a third party, “data integrity deficiencies” and “[i]dentify omissions, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies.” As mentioned previously, FDA specifically recommends that the company have a third party interview current and former employees “to identify the nature, scope, and root cause of data inaccuracies.”

Second, FDA requests “a current risk assessment of the potential effects of the observed failures on the quality of your drugs,” including an analysis of the risks to patients and the risk posed by continuing to operate.

Third, FDA wants a very detailed “management strategy for [the] firm that includes the details of [a] global corrective action and preventive action plan.” This should include a detailed corrective action plan on ensuring reliability and completeness of data and a root cause evaluation of the data integrity lapses, including details on what has happened to the employees implicated in these lapses. FDA also asks Sri Krishna to outline interim measures it will take to protect patients, such as notifying customers, conducting recalls, conducting additional testing and enhancing complaint monitoring. FDA notes that there is no evidence that Sri Krishna has informed its customers of manufacturing changes and ominously states it “is important that you … promptly notify[] … customers of a significant production problem that could interrupt supply or potentially pose a hazard to the consumer.” Long-term measures are also expected to be part of the corrective action plan, including “enhancements” to procedures, systems and “human resources.”

Coincidentally, this warning letter on data integrity has come out at almost the same time as a new FDA guidance on data integrity (see our post here). We continue to watch these developments closely, and to wonder whether more severe sanctions will be forthcoming from the agency.

Readers seeking further enlightenment on these issues or simply looking to gather good karma may want to register here for a PLI webinar on FDA compliance and enforcement strategies to be given by Jennifer D. Newberger, Jennifer M. Thomas and Anne K. Walsh of Hyman, Phelps & McNamara at 1:00 PM EST on April 27th or attend a conference on creation of effective documentation for FDA regulated products to be given by Brian Donato, Jeffrey Shapiro and Roger Thies of Hyman, Phelps & McNamara in Arlington, Virginia on May 3rd.